1

CONFIDENTIAL

5/8/2018

Web Application Security Audit Report

http://npccindia.com/

Recon Business Advisory Pvt. Ltd. F-8,3RD FLOOR, KALKAJI MAIN ROAD, NEW DELHI PIN-110019.

2

CONFIDENTIAL

Confidential

Confidential : The content of this document is confidential and may not be used by parties other than without authorization

3

CONFIDENTIAL

Document and Control information

Item Client Description

Document Name Web Application Security Audit Report of NPCC

Client Name Global Infosys

Audit Duration 07th Aug to 08th Aug 2018

Initial Report Date 08th Aug 2018

Status Report Date NA

Closing Report Date NA

Report Version 1.0

Hand Over to Shikha

Item Company Description

Author Recon Business Advisory Pvt ltd.

Auditor Name Shudhanshu Singh

Reviewed By Rishesh Kumar Gupta

4

CONFIDENTIAL

Table of Contents 1. Executive Summary........................................................................................................................... 5

2. Intended Audience ............................................................................................................................ 5

3. Assessment Objectives ..................................................................................................................... 5

4. Application Credentials and URL ...................................................................................................... 5

5. Assessment Methodology ................................................................................................................ 6

6. OWASP Top 10 Application Security Risks ........................................................................................ 8

7. Assessment Scope ........................................................................................................................... 10

8. Issues Encountered ......................................................................................................................... 10

9. Key Findings .................................................................................................................................... 11

10. Vulnerability Details ........................................................................................................................ 12

10.1 Sql Injection ................................................................................................................................ 12

Error based SQL injection ......................................................................................................................... 12

10.2 Unrestricted File Upload ............................................................................................................. 14

Malicious File Upload ............................................................................................................................... 14

10.3 Using Component with Known Vulnerability .............................................................................. 16

Vulnerable Asp.Net Version ..................................................................................................................... 16

10.4 Microsoft Tild directory enumeration ........................................................................................ 17

Microsoft Tild directory enumeration ...................................................................................................... 17

10.5 Cookie without HttpOnly Flag set ............................................................................................... 18

Asp .net Version disclosure ...................................................................................................................... 18

10.6 Using Known Vulnerable component ......................................................................................... 20

Vulnerable Jquery ..................................................................................................................................... 20

5

CONFIDENTIAL

1. Executive Summary

Recon Business Advisory Pvt. Ltd. carried out Web Application security assessment of the

following website 07th AUG to 08th AUG 2018 from Recon, New Delhi.

http://npccindia.com/

2. Intended Audience

This document is primarily meant for the Global Infosys client. Further distribution of this

document entirely lies to the discretion of the Global Infosys client.

3. Assessment Objectives

The security assessment of the application http://npccindia.com/ was requested. The

application primarily is meant for critical business transactions in Global Infosys client.

The purpose of this assessment is to discover the vulnerabilities in web application and to

indicate the subsequent risk level associated with the vulnerabilities.

4. Application Credentials and URL The security assessment was done on the following URL/s:

http://npccindia.com/

6

CONFIDENTIAL

5. Assessment Methodology

A hybrid approach is followed to perform the assessment that is a combination of tools is used to discover the wide range of vulnerabilities. Additionally, the assessment being adaptive in nature allows us to control the assessment methodology as per the application functionality to focus on the critical areas of the application. The attack vectors are controlled as per the assessment needs and the attack selection ensures maximum coverage of the application.

Following diagram represents the assessment approach:

7

CONFIDENTIAL

The table below describes various levels and types of assessment. The type of assessment done for current assessment is available in the “Assessment Scope” section of the document.

Scan/Audit Type

Level Type Information

1 Safe

Safe scan discovers minimum types and instances of vulnerabilities. The safe scan mode avoid fault injection such as Java Scripts, HTML tags, crafted SQL queries etc. to ensure that the application retains its state at the end of the assessment. Any fault injections that may trigger Denial of Service situation are avoided in safe scans. Safe scan suits most when the assessment is to be done on a live application instance, and has already undergone either Standard or Destructive scan/s.

2 Standard

Standard scan discovers and exploits most standard checks such as OWASP Top 10 checks. The standard scan performs fault injection such as Java Scripts injection, HTML tag injection, crafted SQL queries etc. Any fault injections that may trigger Denial of Service situation are avoided in standard scans. Standard scan suits most when the assessment is to be done on a staging/pre-prod/testing application instance.

3 Destructive

Destructive scan discovers and exploits most comprehensive checks including checks that may trigger Denial of Service Attacks situations for the application. Destructive scan is usually done on staging/pre-prod/testing application instance. A destructive scan on a live environment is avoided on live/production systems unless it is really required.

The vulnerabilities discovered are associated with a risk level that indicates how critical the vulnerability is and helps application owners/developers to prioritize the vulnerabilities and choose an appropriate mitigation approach.

8

CONFIDENTIAL

Risk Level Information and Necessary Actions

Risk Level Risk Description and Necessary Action

High

The high risk level indicates maximum risk associated with a specific vulnerability instance. Such vulnerability may enable an attacker to successfully exploit the underlying application and its data and partially or completely to compromise the application and its data to modify application behaviour to become other than its original intended purpose. The vulnerability marked as “High Risk” is recommended to be handled with utmost priority.

Medium

The medium risk level indicates considerable risk associated with a specific vulnerability instance. Such vulnerability may enable an attacker to exploit the underlying application and its data to a particular level so that the attacker can gain low level information about the application. Such information can be used by an attacker to craft more specific attacks based on the information collected. The vulnerability marked with “Medium Risk” should be mitigated at the earliest or soon after “High Risk” vulnerabilities are mitigated.

Low

The low risk level indicates lowest risk associated with a specific vulnerability instance. Such vulnerability may allow an attacker to gain some information about the application which was not intended to be known otherwise. The attacker may not have exploiting techniques available at that instance based on the information revealed by the system. The vulnerability marked with “Low Risk” can be mitigated soon after high and medium risk vulnerabilities are mitigated.

Ease of Exploit level information

6. OWASP Top 10 Application Security Risks

Open Web Application Security Project (OWASP) is a not-for-profit worldwide charitable organization focused on improving the security of application software. The table below lists Top 10 identified security risks by OWASP:

Risk Information

A1 Injection

Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

A2 Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

A3 Cross-Site Scripting (XSS) XSS flaws occur whenever an application takes untrusted data

9

CONFIDENTIAL

and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A4 Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5 Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

A6 Sensitive Data Exposure

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

A7 Missing Function Level Access Control

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

A8 Cross-Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A9 Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

A10 Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

More information about OWASP can be found at: http://www.owasp.org

10

CONFIDENTIAL

7. Assessment Scope

The application security assessment is done on but not limited to the following controls:

Authentication

Authorization

Session Management

Input Validation

Error Handling

Cryptography

Following were not a part of this assessment:

DOS

Scan type:

Assessment type Selected

Safe checks yes

Standard/OWASP Top 10 Yes

Destructive No

8. Issues Encountered

There were no issues encountered for this application.

11

CONFIDENTIAL

9. Key Findings

No. Vulnerability Name Risk Status

1. Sql Injection High Open

2. Malicious File upload High Open

3. Asp .net vulnerable version High Open

4. Microsoft Tild directory enumeration High Open

4. Cookie Without HttpOnly Flag Set Low Open

5. Vulnerable jquery Low Open

12

CONFIDENTIAL

10. Vulnerability Details

10.1 Sql Injection

Name of Vulnerability Error based SQL injection

URL http://npccindia.com/admin/Changepas

sword.aspx

Risk High

CVE/CWE-ID CWE-209,89

Description:

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

A wide range of damaging attacks can often be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and taking control of the database server.

Proof of Concept:

13

CONFIDENTIAL

Recommendation:

The most effective way to prevent SQL injection attacks is to use parameterized queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterized queries. It is strongly recommended that you parameterize every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string into which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.

Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.

14

CONFIDENTIAL

10.2 Unrestricted File Upload

Name of Vulnerability Malicious File Upload

URL http://npccindia.com/

Risk High

CVE/CWE-ID CWE-434

Description: The HTTP responses returned by this web application include anheader named X-AspNet-Version. The value of this header is used by Visual Studio to determine which version of ASP.NET is in use. It is not necessary for production sites and should be disabled. ASP.NET debugging is enabled on this application. It is recommended to disable debug mode before deploying a production application. By default, debugging is disabled, and although debugging is frequently enabled to troubleshoot a problem, it is also frequently not disabled again after the problem is resolved.

Proof of Concept:

http://npccindia.com/admin/Addfile.aspx

Uploading a pdf with malicious script: "><b onmouseover=prompt('Hack')>click me! </b>

15

CONFIDENTIAL

File Successfully uploaded and path disclosure as well Writereaddata/data/Downloads/java56766.pdf

Recommendation:

Based on this context, the goals here are:

For Word/Excel/Powerpoint/Pdf documents: Detect when a document contains "code"/OLE package, if it's the case then block the upload process.

16

CONFIDENTIAL

For Images document: Sanitize incoming image using re-writing approach and then disable/remove any "code" present (this approach also handle case in which the file sent is not an image).

Remarks:

It's technically possible to perform sanitizing on Word/Excel/Powerpoint/PDF documents but we have choosen here the option to block them in order to avoid the risk of missing any evasion technics and then let pass one evil document. The following site show how many way exists to embed Macro into a Microsoft Office documents.

The other reason why we have choosen the blocking way is that for Word/Excel/Powerpoint, changing document format (for example by saving any document to DOCX/XSLX/PPTX/PPSX formats in order to be sure that no Macro can be executed) can have impacts or cause issues on document structure/rendering depending on the API used.

https://www.owasp.org/index.php/Protect_FileUpload_Against_Malicious_File

https://www.owasp.org/index.php/Unrestricted_File_Upload

10.3 Using Component with Known Vulnerability

Name of Vulnerability Vulnerable Asp.Net Version

URL http://npccindia.com/

Risk High

CVE/CWE-ID CWE-200,

Description: The HTTP responses returned by this web application include anheader named X-AspNet-Version. The value of this header is used by Visual Studio to determine which version of ASP.NET is in use. It is not necessary for production sites and should be disabled. ASP.NET debugging is enabled on this application. It is recommended to disable debug mode before deploying a production application. By default, debugging is disabled, and although debugging is frequently enabled to troubleshoot a problem, it is also frequently not disabled again after the problem is resolved.

Proof of Concept:

17

CONFIDENTIAL

Recommendation: A specific policy for how to handle errors should be documented, including the types of errors to be handled and for each, what information is going to be reported back to the user, and what information is going to be logged. All developers need to understand the policy and ensure that their code follows it.

Update to the latest version.

10.4 Microsoft Tild directory enumeration

Name of Vulnerability Microsoft Tild directory enumeration

URL http://npccindia.com/

Risk Medium

CVE/CWE-ID CWE-200

Description: It is possible to detect short names of files and directories which have an 8.3 file naming scheme equivalent in Windows by using some vectors in several versions of Microsoft IIS. For instance, it is possible to detect all short-names of ".aspx" files as they have 4 letters in their extensions. This can be a major issue especially for the .Net websites which are vulnerable to direct URL access as an attacker can find important files and folders that they are not normally visible.

Proof of Concept:

18

CONFIDENTIAL

Recommendation: Kindly follow the below link

https://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability

10.5 Cookie without HttpOnly Flag set

Name of Vulnerability Asp .net Version disclosure

URL http://npccindia.com/

Risk Low

CVE/CWE-ID CWE-16

Description:

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure makes certain client-side attacks, such as cross-site scripting, slightly harder to exploit by preventing them from trivially capturing the cookie's value via an injected scrip

.Proof of Concept:

19

CONFIDENTIAL

Recommendation:

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

20

CONFIDENTIAL

10.6 Using Known Vulnerable component

Name of Vulnerability Vulnerable Jquery

URL http://npccindia.com/

Risk Medium

CVE/CWE-ID CWE- 79

Description: You are using a vulnerable Javascript library. One or more vulnerabilities were reported for this version of the Javascript library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were reported.

Proof of Concept:

Recommendation: Update to the latest version of jQuery.

21

CONFIDENTIAL

Observation 1.Email id Hyperlink /npcc.hyd@gmail.com.

/npccsilchar@yahoo.com.

Recommendation: Using a graphic signature is better. Create a graphic that has your email ID written on it. Since the bots cannot read the graphic at this point, your ID will be safe. But when you do that, don’t go ahead and link the graphic to your email ID. Linking graphic to email ID will nullify the purpose of that graphic email address or signature

Email: npcc [dot] hyd [at]gmail [dot]com

2. Using known Vulnerable Component. Update to the latest frame work and Library.

3. Application Flow Exception http://npccindia.com/admin/Homegalleryupload.aspx

Even uploading a jpeg image throws us out of the application.

22

CONFIDENTIAL

23

CONFIDENTIAL

Disclaimer Any advice, opinion, measures or recommendations suggested or supplied by Recon shall not amount to any form of warranty or guarantee that the intended result will be achieved or that any steps taken by the Client pursuant to such advice, opinion, measures or recommendations will guarantee that the Client's IT systems will be free from harmful components or from unauthorized interception or interference. The Client shall be solely responsible for the management, conduct and operation of its business and affairs; including without limitation for deciding on its use of the Results, choosing to what extent it wishes to rely on the Results, and/or implementing the recommendations.

Assessment Limitations

The Web Application Assessment has been limited to the boundaries set in the contract and legal agreement. Following were the limitations while performing the web application audit assessment for Global Infosys client over the proxy server:

The Web Application Assessment exercise is an attempt to identify the existing vulnerabilities present on the web server. The assessment is limited by the state of technology and functionality of software tools or products deployed at that point in time. Recon however does ensure that the tools and methodologies used are the best available and are the most recent versions.

This exercise does not guarantee the successful exploitation of the vulnerabilities later on, which were identified during the scanning and identification phase. Evidences in terms of screenshots have been presented wherever possible in the report for all successful and unsuccessful tests. To ensure that configuration and application changes do not uncover new vulnerabilities and to utilize advantages in scanning techniques that may uncover vulnerabilities in existing systems regular web application assessments be carried out.

Web Application Assessment exercise was only limited to the web application mentioned in the scope of the activity with the normal user access privileges. However, considering the other assets as a launch pad was not considered for the application audit exercise scope and having more access to the target systems as compared to normal access, could also develop the additional attack surface for these assets

The tool used for automated/Manual Web Application Scanning and identifying vulnerabilities. The report developed and the recommendations documented are hence derived from the output of automated/Manual tool and based on the OWASP standard of securing the Web Applications.